India Open Sources Its Contact-Tracing App (techcrunch.com)
India has released the source code of its contact-tracing app, Aarogya Setu, to the relief of privacy and security experts who have been advocating for this ever since the app launched in early April. From a report: Ministry of Electronics and Information Technology Secretary Ajay Prakash Sawhney made the announcement on Tuesday, dubbing the move "opening the heart" of the Aarogya Setu app to allow engineers to inspect and tinker with the code. The app has amassed over 114 million users in less than two months -- an unprecedented scale globally. The source code of Aarogya Setu's Android app is live on GitHub with code of iOS and KaiOS apps slated to release in a "few weeks." Nearly 98% of the app's users are on the Android platform. Sawhney said the government will also offer cash prizes of up to $1,325 to security experts for identifying and reporting bugs and vulnerabilities. "Open-sourcing Aarogya Setu is a unique feat for India. No other government product anywhere in the world has been open-sourced at this scale," said Amitabh Kant, chief executive of government-run think-tank NITI Aayog, in a press conference today.
Re: (Score:2)
Unless you can confirm the code that sits in git is representative of the code that sits in the app store this is meaningless.
Which is probably true for most everything on Github, and indeed source code in general.
Re: (Score:2)
Not on my machine. Maybe yours. You should at least compare the hashes on the packages.
I routinely check signature checksums provided by the people who built a program. I rarely (actually never) compile binaries from source just to compare to downloaded ones though I could certainly do that on my PC if I was so motivated. For my phone, unless I knew I had an identical build environment I would not even try, but the code is there so others can, and hopefully will do. For practical purposes, that is good enough for most people. If it is not you should probably not own a smartphone cause I d
Can I compile and compare it? (Score:4)
Can I compile the code and verify that the app in the app store is indeed binary identical to the one I just compiled from the source?
Re: (Score:2)
Whether you can is not only dependent on your own skill. I bring the skill, do they bring the rest?
Re: (Score:2)
Can I compile the code and verify that the app in the app store is indeed binary identical to the one I just compiled from the source?
Can you? Or can Somebody? Those are vastly different burdens.
Near as I can tell if you run Debian the answer is mostly.
https://wiki.debian.org/Reprod... [debian.org]
Apps on your phone OTOH, probably not so much. Likely someone else will have to check.
Re: (Score:2)
Why would you need to? You can just inspect the code and see that it is designed to spy on you.
https://github.com/ubuntulover... [github.com]
Re: (Score:2)
If you don't compile it and run your own build, then you don't know that it's the code you were looking at. (Even if you do, there are tricks for that, too.)
Re: (Score:2)
How do I verify that this is the code that was actually used to build the binary I get?
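The check asked for in this thread, comparing a store binary with a local build, sketched as an added example (not part of any comment above and not code from the Aarogya Setu repository). It compares two APKs entry by entry and skips the v1 signing files under META-INF/, which a rebuild without the publisher's key cannot reproduce; the archives and the `make_apk` helper are constructed stand-ins, not real app packages.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signing files; they differ in any rebuild not signed with the publisher's key.
SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")

def is_signing_artifact(name):
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    return upper.endswith(SIGNING_SUFFIXES) or upper == "META-INF/MANIFEST.MF"

def entry_digests(apk):
    """Map entry name -> SHA-256 of its uncompressed bytes, skipping signing files."""
    with zipfile.ZipFile(apk) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir() and not is_signing_artifact(info.filename)
        }

def compare_apks(store_apk, local_apk):
    """Report entries that are missing, extra, or different between the two APKs."""
    store, local = entry_digests(store_apk), entry_digests(local_apk)
    shared = store.keys() & local.keys()
    return {
        "only_in_store": sorted(store.keys() - local.keys()),
        "only_in_local": sorted(local.keys() - store.keys()),
        "changed": sorted(n for n in shared if store[n] != local[n]),
    }

def make_apk(entries):
    """Build an in-memory ZIP standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    code = {"classes.dex": b"dex-bytes", "res/layout/main.xml": b"<layout/>"}
    store = make_apk({**code, "META-INF/CERT.RSA": b"publisher-sig"})
    print(compare_apks(store, make_apk(code)))  # all three lists empty
```

Hashing the two files whole would always differ, because the publisher's signature is part of the store file, which is why the comparison works on entries. An empty report is only achievable when the build itself is reproducible (same toolchain, no embedded timestamps).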
Fuck India (Score:2)
Re: (Score:1)
India has the third highest Muslim population in the world. Leave the nut jobs aside and, by and large, Indian Muslims will tell you they live better and are safer than they'd be in many Islamic republics.
Muslims in India are allowed to practice their own civil law cos the more extremist elements don't want any part of the national common code: https://en.wikipedia.org/wiki/... [wikipedia.org]
Muslims in many states (though decidedly not on a na
Australia did this weeks ago (Score:4, Informative)
https://github.com/AU-COVIDSaf... [github.com]
I believe Singapore did as well.
So this is great, but how is it unprecedented?